gopls/internal/lsp/mod: add the vulncheck diagnostics mode
When the user sets `"ui.vulncheck": "Imports"`, gopls will run the
vulnerability scanning on the modules used in the project
as part of the go.mod diagnostics. This scanning mode is less
expensive than the govulncheck callgraph analysis so it can
run almost in real time, but it is less precise than the govulncheck
callgraph analysis.
In the follow-up change, we will add a code action that
triggers the more precise govulncheck callgraph analysis.
Change-Id: Ibf479c733c7e1ff98a3e74854c0f77ac6a6b5445
Reviewed-on: https://go-review.googlesource.com/c/tools/+/453156
gopls-CI: kokoro <noreply+kokoro@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Robert Findley <rfindley@google.com>
Run-TryBot: Hyang-Ah Hana Kim <hyangah@gmail.com>
diff --git a/gopls/internal/lsp/source/api_json.go b/gopls/internal/lsp/source/api_json.go
index fc691a1..91b676a 100755
--- a/gopls/internal/lsp/source/api_json.go
+++ b/gopls/internal/lsp/source/api_json.go
@@ -499,6 +499,24 @@
Hierarchy: "ui.diagnostic",
},
{
+ Name: "vulncheck",
+ Type: "enum",
+ Doc: "vulncheck enables vulnerability scanning.\n",
+ EnumValues: []EnumValue{
+ {
+ Value: "\"Imports\"",
+ Doc: "`\"Imports\"`: In Imports mode, `gopls` will report vulnerabilities that affect packages\ndirectly and indirectly used by the analyzed main module.\n",
+ },
+ {
+ Value: "\"Off\"",
+ Doc: "`\"Off\"`: Disable vulnerability analysis.\n",
+ },
+ },
+ Default: "\"Off\"",
+ Status: "experimental",
+ Hierarchy: "ui.diagnostic",
+ },
+ {
Name: "diagnosticsDelay",
Type: "time.Duration",
Doc: "diagnosticsDelay controls the amount of time that gopls waits\nafter the most recent file modification before computing deep diagnostics.\nSimple diagnostics (parsing and type-checking) are always run immediately\non recently modified packages.\n\nThis option must be set to a valid duration string, for example `\"250ms\"`.\n",
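Review bot: The added entry sets `Hierarchy: "ui.diagnostic"`, but the commit message tells users to set `"ui.vulncheck": "Imports"`; please confirm which path is intended and make the two agree, so the documented key is the one users actually type. Separately, the `Doc` strings for the setting and for `"Imports"` do not carry the caveat from the commit message that this mode is less precise than the govulncheck callgraph analysis. Since the help text is what a user sees when deciding how to act on a go.mod diagnostic, consider adding a sentence to the `"Imports"` doc saying that findings are based on the modules and packages used, not on call graph analysis, and that a more precise mode is planned.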